Don't Use NSA-Influenced Code in Our Products, Security Company Warns

The National Security Agency (NSA) has sabotaged at least one of the security standards used to secure many online and offline transactions, according to a Sept. 5 New York Times article.

Which standards? The Times didn't reveal the names, but Tom's Guide and several others speculated that one of them was an algorithm called Dual_EC_DRBG, used to generate random numbers for encryption purposes.

RSA Security clearly agrees. In an emailed advisory, the computer and network security company warned its developer community not to use Dual_EC_DRBG, which is an option in many of its developer tool kits and the default selection in one of them.

To "ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG and move to a different [algorithm]," RSA wrote.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

"Under no circumstances does RSA design or enable any backdoors in our products," RSA Security said in a statement on its website.

Dual_EC_DRBG is not in any of RSA Security's SecurID identification key fobs, which are commonly used to verify users logging in to corporate and government VPNs.

It should also be noted that RSA Security is different than the encryption algorithm known as RSA, which many websites use to encrypt their visitors' connections.

Dual_EC_DRBG was co-developed by the NSA. In 2006, the algorithm was published as a standard by the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce that reviews and publishes standard practices for governmental organizations.

All of NIST's standards are publicly reviewed by field experts, and many nongovernmental organizations — RSA Security among them — use NIST's standards because of their high quality.

Dual_EC_DRBG passed NIST's original public review period, but in 2007, two Microsoft researchers found a "backdoor" in the algorithm, meaning that the algorithm was written in such a way that anyone with a certain passcode could predict what numbers the algorithm would generate.

"We have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG," wrote security expert Bruce Schneier in a 2007 Wired op-ed, though, in the same piece, he also noted that Dual_EC_DRBG was slower than other available methods and was "in the standard only because it's been championed by the NSA."

Despite these warnings, Dual_EC_DRBG became widely adopted. NIST maintains a list of companies that currently use Dual_EC_DRBG in their products, and it includes BlackBerry, Juniper Networks and Cisco Systems.

A spokeswoman for Cisco Systems said she would "check into this."

RSA Security is the first company to come out against using a NIST-endorsed security standard, but it probably won't be the last.

NIST maintains that it does not know of any NSA-created backdoors in its standards. "NIST would not deliberately weaken a cryptographic standard," the agency said in a Sept. 10 statement on its website.

However, on Sept. 9, NIST reopened Dual_EC_DRBG for public review, and recommended that the algorithm not be used until the review process is concluded.

Understandably, many cryptographers aren't ready to take NIST's word for it.

"We'll have to re-evaluate that relationship," cryptographer Matthew Green of Johns Hopkins University wrote on his blog. "While the possibility of a backdoor in any of [NIST's] components does seem remote, trust has been violated."

Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.

About the author
Read more
This thread is closed for comments
11 comments
    Top Comments
  • National security? Please.

    It's just a way to stop people from revolting. You know how the Government talks about terrorists? Well, the founding fathers would be deemed terrorists from whence they came. Yet they're pictured as freedom fighters.

    I do wonder why the British and American Governments haven't been burnt to rubble and the workers, leaders and managers lynched to death.

    Probably because of that new iPhone. Isn't it amazing!?

    *Mumble Grumble*
    11
  • Other Comments
  • This isn't very surprising since the NSA / govt puts tight restrictions on encryption for the sake of national security. Normally I wouldn't have a problem with this but there is always room for abuse of our privacy so why give them a chance to do it?
    5
  • National security? Please.

    It's just a way to stop people from revolting. You know how the Government talks about terrorists? Well, the founding fathers would be deemed terrorists from whence they came. Yet they're pictured as freedom fighters.

    I do wonder why the British and American Governments haven't been burnt to rubble and the workers, leaders and managers lynched to death.

    Probably because of that new iPhone. Isn't it amazing!?

    *Mumble Grumble*
    11
  • I seriously doubt it's a backdoor and that RSA's algorithms are that much better. More than likely it's just an error in the algorithm. I haven't seen a single CSPRNG that didn't have bugs the first time around. Getting random right is incredibly hard. If you need further proof just look into RANDU.
    -7